Restrict bearer token authentication to JSON requests

Bearer tokens are for API/SDK/CLI access — they should only
authenticate JSON requests.
This commit is contained in:
Donal McBreen
2026-04-01 08:35:30 +01:00
parent d63801eae3
commit 13e2c74929
2 changed files with 21 additions and 1 deletions
+1 -1
View File
@@ -56,7 +56,7 @@ module Authentication
end
def authenticate_by_bearer_token
if request.authorization.to_s.include?("Bearer")
if request.authorization.to_s.include?("Bearer") && request.format.json?
authenticate_or_request_with_http_token do |token|
if identity = Identity.find_by_permissable_access_token(token, method: request.method)
Current.identity = identity